What is WPA3, and why is it so important for Wi-Fi security?

The Wi-Fi Alliance has a new standard for Wi-Fi security and it will bring plenty of new features that make your data safer while using public or private Wi-Fi. It’s great when anything makes our data safer and WPA3 also happens to be a pretty significant step for wireless security in general.

We recently saw the details for WPA3 finalized, and that means manufacturers can now start properly supporting it in new products as well as look into updating older ones. We won’t be able to benefit from it right away, but it’s definitely something to look forward to!

What is WPA?

WPA stands for Wi-Fi Protected Access. Think of WPA as a set of rules designed to protect your Wi-Fi router, all the things that connect to that router, and all the traffic that’s sent through those devices. It is one of those cases where two devices don’t need to know any "secret" details about each other, because a middle layer can communicate with each of them.

If you have a password on your Wi-Fi at home, you’re probably using WPA to secure the network.

If you’re using WPA, your router login is protected by a passphrase and the data you send to it and receive from it are encrypted. WPA is the service that looks at what you used as the password on your phone or laptop when you tried to log into a Wi-Fi router, compares it to the password the router requires, and if they match it connects you and handles data decryption. Security in layers like this (the password you use is also not really the password and only generates a token that the router can check for validity) means no important information is sent in plain text. In this case, that important information would be your Wi-Fi network password.

Almost every one of us is using WPA on Wi-Fi at home or in public right now. WPA2 is the current standard. It came about in 2004 and was a big improvement over what we used prior, but like all things, it’s beginning to show its age. WPA3 addresses most of the areas where WPA2 needs to be updated.

Changes in WPA3

There are some pretty sizable changes coming with WPA3, and they all are the good kind of changes. We love it when that happens!

Your password will be a lot harder to crack. With WPA2 someone can grab data you send and receive from a Wi-Fi network then try to decrypt it by using a brute-force attack (guessing over and over and over until they get it right) on your password. With WPA3 every password guess will need to be authenticated live, in real time, by the router you’re trying to connect with.

Connecting IoT (Internet of Things) devices will be easier than ever. Ever try to set up a device without a screen? It usually involves using your phone with a direct connection, then interacting through the phone with the thing you’re trying to get connected, and finally entering the network details so they are written to whatever it is you want to be connected to your Wi-Fi. WPA3 has what’s called "Wi-Fi Easy Connect" that will let you do it by scanning a QR code with a phone on the same network. It’s like Wi-Fi Protected Setup but without all the security vulnerabilities and it will actually work.

Data captured without knowing your password is useless even if someone gets that password later. Forward secrecy is a new feature that means data collected and saved can’t be decrypted later. This makes saving data from a connection an attacker can’t hijack useless. Attackers won’t bother to save useless things.

Public hotspots will be a lot more secure. WPA3 means even open connections will encrypt data between you and the access point. This is huge. Right now, with WPA2, if you go somewhere with an open Wi-Fi access point (one where you don’t need a password) the data between you and the access point isn’t encrypted. This is how someone can see what you post on Facebook (as well as your name and password when you sign in) if you’re using Wi-Fi at McDonald’s. You won’t believe how incredibly easy it is to do, which is why it desperately needed some sort of fix. Encrypting that traffic is the best fix anyone could have asked for.

Stronger encryption for Enterprise-grade Wi-Fi. WPA3 Personal mode will use 128-bit encryption by default. WPA3 Enterprise mode will use 192-bit encryption by default and PSK (the Pre-Shared Key system) is replaced with SAE (Simultaneous Authentication of Equals). If you don’t know what any of that means, don’t feel bad about it; most people who aren’t Enterprise IT Professionals don’t, because they have no need.

A Pre-Shared Key system is where two things use the same credentials to connect with each other (like a password). Those credentials had to have been shared with two or more people/things manually before you tried to use them to authenticate.

Simultaneous Authentication of Equals is a system where a pre-shared key and the MAC addresses of both things that want to connect are used to authenticate based on the calculation of finite cyclic groups. That’s a big math nerd thing about calculations that even normal math nerds don’t understand.

I told you we didn’t need to know these two things.
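
To make the password-guessing and forward-secrecy points above concrete, here is an added example (not part of the original article). The SSID, passphrase and MAC addresses are constructed sample values, and the forward-secret half is a plain ephemeral Diffie-Hellman stand-in over a toy group, not SAE itself.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not taken from any real network.
SSID, PASSPHRASE = b"ExampleCafe", b"correct horse battery"
AP_MAC, STA_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
P, G = 2**127 - 1, 3  # toy Diffie-Hellman group: far too small for real use


def pmk(passphrase: bytes, ssid: bytes) -> bytes:
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def wpa2_session_key(master: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i-style PRF: master key plus addresses and nonces sent in the clear."""
    data = (min(AP_MAC, STA_MAC) + max(AP_MAC, STA_MAC)
            + min(anonce, snonce) + max(anonce, snonce))
    label = b"Pairwise key expansion\x00"
    blocks = (hmac.new(master, label + data + bytes([i]), hashlib.sha1).digest()
              for i in range(3))
    return b"".join(blocks)[:48]


def fs_session_key(master: bytes, shared_secret: int) -> bytes:
    """Forward-secret stand-in: the key also depends on an ephemeral DH secret."""
    secret = shared_secret.to_bytes(16, "big")
    return hmac.new(master, secret, hashlib.sha256).digest()


def demo() -> dict:
    master = pmk(PASSPHRASE, SSID)
    # WPA2 style: a passive listener records both nonces during the handshake.
    anonce, snonce = secrets.token_bytes(32), secrets.token_bytes(32)
    live_key = wpa2_session_key(master, anonce, snonce)
    # Passphrase learned later + recorded nonces rebuild the same session key.
    rebuilt = wpa2_session_key(pmk(PASSPHRASE, SSID), anonce, snonce)

    # Forward-secret style: each side uses a throwaway private exponent.
    a, b = secrets.randbelow(P - 3) + 2, secrets.randbelow(P - 3) + 2
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)  # only these cross the air
    fs_key = fs_session_key(master, pow(pub_b, a, P))
    peer_key = fs_session_key(master, pow(pub_a, b, P))
    # A later reader holds master, pub_a and pub_b but neither exponent;
    # combining the public values does not give the shared secret.
    guess = fs_session_key(master, pub_a * pub_b % P)
    return {"wpa2_rebuilt": rebuilt == live_key,
            "fs_peers_agree": fs_key == peer_key,
            "fs_rebuilt": guess == fs_key}
```

In the WPA2-style half everything except the passphrase travels in the clear, which is why a weak passphrase undermines recorded traffic; in the forward-secret half the discarded exponents are the missing input.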

When can I use WPA3?

Not any time soon.

The companies that manufacture things that use Wi-Fi, like a router or your phone or a fancy alarm clock, are working on building it into their products. That means their new products — the ones we can buy next year in 2019.

Optimists say WPA3 will be widespread in 2019.

The Wi-Fi Alliance says to expect significant adoption of WPA3 in late 2019. I expect it to be much, much later but think we will be able to buy WPA3 products and build a network in Spring 2019.

We know "smarter" devices like your phone will be compatible but are only guessing when it comes to smart plugs or garage door openers because of how they are set up. There could be some fun times getting WPA2 IoT devices connected to a newer WPA3 capable router, even though it is backward compatible.

We’ll know more once we start to see products show up at Amazon.

Will my phone be updated to work with WPA3?

Doubtful. Phones are what’s called a power-restrained device. That means everything they can do is limited by (and must be built to optimize for) a small rechargeable battery. The chips inside your phone that handle things like encryption algorithms and Wi-Fi encoding/decoding are only as powerful as they need to be right now. WPA3 will beef up the encryption level to 128-bit minimum which will mean it needs more processing power to calculate in real-time. In other words, even your super-fast phone that you have in your hands right now won’t be fast enough to do it.

But that’s OK. While we all want better security for our phones and know that WPA3 provides it, WPA2 will be supported and updated as needed by the Wi-Fi Alliance for a long time. It also means that a router or access point that is WPA3 capable will also be WPA2 compatible for a long time.

What router do you recommend right now?

You won’t be able to buy a router that is built to work with WPA3 for a while. We expect to see some made available in late 2018, but if you need a new router waiting that long isn’t the best solution.

For most of us, Google Wifi is the best router available today.

Right now I would recommend you buy a Google Wifi mesh router setup. It’s currently one of the most secure (read: patched very quickly with no need for you to do anything) routers and unless you have very specific needs a three-pack means everywhere in your house has really fast Wi-Fi.

It’s also one of the very few routers I expect to see updated to use WPA3, simply because Google loves the darn things and the company tends to keep working on ways to make them better. A three-pack costs about $260 at Amazon and you can set it up in no time at all using the Google Wifi app through your existing Google account.

When WPA3-ready routers become available, you can bet we’ll be back here to talk about them!